Public sector organisations are taking significantly longer than stipulated by the General Data Protection Regulation (GDPR) to respond to requests from individuals about the information held about them.
Research reveals public sector organisations have a lot of work to do if they are to avoid heavy fines for failing to respond to subject access requests (SARs) in the legal timeframe. Anyone can make an SAR to find out what information an organisation holds about them.
During the research, one public sector organisation even made an error and sent information about the wrong person to the researchers, while another took almost a year to respond to an SAR.
The test was run by IT services company Bluesource, which made subject access requests to 30 public sector organisations – including the Bank of England, London Fire Brigade, the Metropolitan Police, HM Treasury, Bexley London Borough Council and the Crown Prosecution Service (CPS).
The vast majority (84%) of those organisations took significantly longer to respond to SARs than the 30-day limit that will apply once GDPR takes effect on 25 May 2018. Researchers had to wait 351 days for a response to one of the SARs they submitted.
Organisations risk substantial fines if they fail to comply with the rules of GDPR.
Part of the problem is the growing volume of requests being submitted, with SARs having risen by 138% over the past three years for the 30 organisations surveyed. Despite the increase, Bluesource found that less than a third of the organisations had dedicated members of staff to deal with SARs.
On the bright side, according to the study, 16% of organisations were already prepared to meet the SAR response time, which is currently 40 days but will drop to 30 days under GDPR in May.
Bluesource ranked organisations on their performance based on requests for the year 2016-2017.
The government organisations found to require the greatest improvement were the Metropolitan Police, Bexley London Borough Council and the Crown Prosecution Service. Of 3,935 requests made to the Metropolitan Police, 1,058 were processed outside the current 40-day time limit. The CPS received 251 requests, 89 of which took longer than 40 days to answer. Bexley London Borough Council failed on 26 occasions to respond within the 40-day limit.
Bexley is not alone. A recent survey by the Information Commissioner’s Office (ICO) revealed that many local councils still have work to do to become compliant with the EU General Data Protection Regulation.
The Bank of England and the London Fire Brigade were also listed as needing to improve response times.
The Care Quality Commission was the best performing public sector organisation when it came to responding to SARs, taking an average of 16.1 days to respond.
“Our research demonstrates that more people are taking an interest in how their information is processed, stored and shared. Unfortunately, many major public sector organisations are currently failing to address the influx of SARs and to ensure that they are GDPR-compliant after May 2018,” said Andrew North, commercial director at Bluesource.
“Clearly, swift improvement is required by these organisations. To avoid fines, they need to put strict data policies in place, ensure staff are appropriately trained and employ the correct data management and discovery technologies too.”